Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Remediation

References

https://access.redhat.com/errata/RHSA-2020:0159

https://access.redhat.com/errata/RHSA-2020:0160

https://access.redhat.com/errata/RHSA-2020:0161

https://access.redhat.com/errata/RHSA-2020:0164

https://access.redhat.com/errata/RHSA-2020:0445

https://github.com/FasterXML/jackson-databind/issues/2478

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E

https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

https://seclists.org/bugtraq/2019/Oct/6

https://security.netapp.com/advisory/ntap-20191017-0006/

https://www.debian.org/security/2019/dsa-4542

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2022-0508 Vulnerability in npm package @peertube/embed-api

CVE-2017-12626 Vulnerability in maven package org.apache.poi:poi-scratchpad

CVE-2019-1003077 Vulnerability in maven package org.jenkins-ci.plugins:audit2db

CVE-2014-4611 Vulnerability in maven package net.jpountz.lz4:lz4

CVE-2019-10795 Vulnerability in maven package org.webjars.npm:undefsafe

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Patch Mailing List Issue Tracking